Have Online Payments Become Safer Than Offline?

Photo: Walmart

The long-standing narrative of credit card security is that offline transactions are more secure than online. Today, this narrative is more fiction than fact.

Online transactions are more popular and secure than ever before, thanks to advancements in digital payments technology, demographic shifts, and the evolving cyber-security landscape. At the same time, offline payments seem more insecure than ever before. The outbreak of high-profile security breaches at major retailers has shed light on the fact that offline transactions are vulnerable to attack.

These trends lead us to consider a number of important questions that affect every consumer and retailer — are online transactions more secure than offline, and will this realization propel ecommerce into its next stage of growth?

Offline and Off-Guard

The reality is that security concerns exist whether you are online, offline, or on a mobile device. They exist with credit cards, debit cards, and even cash. A common misconception is that offline is safer than online, but this is changing as a result of the massive security breaches that hit the headlines over the past year.

If this laundry list of major security breaches isn’t enough to convince consumers that offline payments are just as risky, if not more so, than online payments, I don’t know what is.

When you physically offer up your credit card in a retail store, that merchant still stores data on a computer; those computers are generally Windows PCs running old-school Point-Of-Sale software and storing data in environments that are inherently insecure and inadequate. To process transactions, the payment application has to communicate with the payment terminal, POS, and payment processor, which means sensitive data is constantly being circulated. This makes it vulnerable.

“What we need to do in the U.S. is completely replace an architecture that has been deployed over the course of the last 40 years. That’s how long mag stripe cards have been on the market.”

The security guidelines put in place by the major credit card companies were designed for collecting data at rest. That is no longer the world we live in, and today these standards don’t do enough to ensure retailers are protecting consumers’ data. The guidelines don’t require credit card information to be encrypted while traveling through a private computer network, and so hackers can steal data as it moves. PCI data security standards are failing us.

Online retailers also have a greater array of security tools at their disposal — tools that were created for the world we live in today, not the world of a decade ago. Square, for example, encrypts card data on the device. Stripe encrypts all card numbers on a disk with AES-256, and stores decryption keys on separate machines. PayPal’s security key offers a second authentication factor when you are logging in to your account. Online transactions from any reputable vendor are also protected by SSL certificates (to protect data in transit), firewalls, and regular systems scans. Furthermore, consumers are empowered to add extra security layers to online transactions. They can create strong passwords, sign up for identify theft protection services, and keep their anti-virus software up-to-date.

Perhaps the most exciting advancement in security technology is tokenization — described by Bain Capital Ventures managing director Matt Harris as “a system where you substitute a proxy set of identifying information for the real payment card data, so that merchants don’t have to handle this sensitive and regulated data and it isn’t exposed more than necessary.” Tokenization not only limits exposure, but also enable more rigorous identification features, such as a fingertip or picture of your face (as opposed to a pin number or signature). It will play a pivotal role in eliminating consumers’ fear of digital payments.

The Rise of Ecommerce

For all the reasons outlined above, online transactions can be more secure than offline transactions. Now let’s consider how that shift will affect the ecommerce industry as a whole.

Ecommerce is already experiencing significant growth. To put it simply, more people are buying more things online than ever before. Today, there are 191.1 million online buyers in the U.S.. and a whopping 80% of the Internet population has purchased something online. Ecommerce is growing fast at 9.5% a year, and is expected to outpace sales growth at brick-and-mortar stores over the next 5 years. eMarketer estimates that U.S. retail ecommerce sales will increase 15.5% in 2014 to reach $304.1 billion, up from $263.3 billion in 2013. That growth will represent more than 20% of the year’s $199.4 billion increase in total retail sales. Forrester estimates that by 2018, ecommerce will represent 11% of the market, which means a hefty 89% will still happen offline. Despite all this growth, we are still at the beginning of the shift to online.

There are a number of driving forces here, the first of which is the raw fact of Internet penetration. More people with access to the Internet means a greater pool of online shoppers. Secondly, we’ve got e-commerce innovation. Hordes of companies are creating exciting, new, and convenient online shopping experiences. Amazon (of course) puts anything you could ever need just a few clicks away, and offers bottom-of-the-barrel prices. Etsy makes it easy to browse and buy from millions of talented craftspeople you never would have encountered on your own. Wanelo makes online shopping social. Gilt and Zulily offer limited time sales for high-quality items at a steep discount. The list goes on, and there is an ecommerce experience out there to suit just about any preference.

Millennials, however, are less worried about security, and more likely to make online purchases than older consumers. In addition, the high-profile nature of the offline security breaches have created much wider awareness about offline threats. A survey conducted by AP shortly after the breaches found that more than one-third of Americans are more likely to use cash instead of credit or debit cards.

Clearly, all-cash is not a long-term solution. Consumers have grown accustomed to the convenience of credit and debit cards, as well as the perks, and any changes in payment behavior will only be temporary. Even chip technology, which will help make credit cards more secure, is by no means a silver bullet for offline transactions.

What will change, however, is the attitude toward online payments. The move to online is happening, and I predict these breaches will accelerate the process. Older consumers, who were previously wary of paying for things on the Internet, will become less so. At the same time, millennials are increasing their spending power. Together, these trends will fundamentally tip the balance between online and offline payments.